Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Contact sales

Installable workflows

View all

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

Logo for Secure Endpoint
Cisco Secure Endpoint - Move Computers to Group
Cisco Managed
This incident response workflow allows you to move computers to a group in Cisco Secure Endpoint from a playbook or using an automation rule.
Incident Response
Learn more
C
Cisco XDR - Add Observable to Intelligence Feed
Cisco Managed
This workflow appears in the pivot menu and allows you to add an observable to a threat intelligence feed in Cisco XDR.
Pivot Menu
Learn more
Logo for CrowdStrike Falcon
CrowdStrike - Delete Custom IOCs for Observables
Cisco Managed
This incident response workflow allows you to delete custom IOCs for observables in CrowdStrike from a playbook.
Playbook Task
Learn more
Logo for Jamf Pro
Jamf Pro - Remove Computer from Static Group
Cisco Managed
This workflow appears in the pivot menu and allows you to remove a computer from a static group in Jamf Pro.
Pivot Menu
Learn more
Logo for Umbrella
Umbrella - Remove Observable from Destination List
Cisco Managed
This workflow appears in the pivot menu and allows a user to remove an observable from the configured destination list in Cisco Umbrella.
Pivot Menu
Learn more

Built-in workflows

View all

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Close and Export Incident
Cisco Managed
This workflow is designed to be executed when an incident is resolved and ready to be closed.
Learn more
XDR - Identify Vulnerabilities
Cisco Managed
This workflow consumes one or more hostnames and attempts to fetch vulnerability information from all supported products.
Learn more
XDR - Restore IP Addresses
Cisco Managed
This workflow consumes one or more IP addresses and attempts to restore them.
Learn more
XDR - Restore Systems
Cisco Managed
This workflow consumes one or more hostnames and attempts to un-isolate matching endpoints in all supported products.
Learn more
XDR - Restore Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products.
Learn more

Built-in actions

View all

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually do perform a specific, single task like creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.